01-30-2010 02:43 AM - edited 03-11-2019 10:03 AM
Hi All,
I am attempting to forward port 80 and port 25 from an IPCop FW connected to Internet via the ADSL router port and my Cisco FW connected in the protected area (Green Zone) of my LAN. A similar diagram of my network is depicted in the Cisco link https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml. The only differences are the TCP-IP addresses and the Outside Cloud which is Internet in my case.
I would greatly appreciate a hint or a clue which helps me to fix this issue I have.
Data which may help you to better understand the environment, if you can assist:
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1) -------> works well if directly connected to the ADSL Router and to Internet. Everything works. Good configuration available in the attachment.
IPCop 1.4.2 ------> works well if directly connected to the ADSL Router and to Internet. I can HTTP from Internet to a Web Server directly connected to its internal interface, i.e. 172.16.0.8.
What exactly doesn't work:
My SMTP, DNS and mail server's public address is 82.70.219.162. If you ping this address it responds. However, if you try to telnet to port 25, it doesn't respond. So, I am almost sure there is a rule which prevents the port forwarding to my server 194.20.23.180, which Cisco NAT translates to 82.70.219.162.
Attached:
A working configuration when Cisco is directly connected to Internet;
A non-working configuration when Cisco is not directly connected to Internet. (File Cisco_Config_3001.txt)
Thanks.
Regards
Salvo
02-15-2010 07:28 AM
Hi,
I believe this is the set up which is not working:
194.20.23.180(server)-->(194.20.23.181)PIX(172.16.0.2)-->(172.16.0.1)IP Cop(82.70.219.163)-->(82.70.219.166) ADSL router-->Internet
Following is relevant configuration on PIX:
name 194.20.23.180 linux
name 82.70.219.162 mailgate
ip address outside 172.16.0.2 255.255.255.0
ip address inside 194.20.23.181 255.255.255.0
access-list outside permit tcp any host mailgate eq smtp log
access-list outside permit tcp any host mailgate eq www log
static (inside,outside) tcp mailgate www linux www netmask 255.255.255.255 0 0
static (inside,outside) tcp mailgate smtp linux smtp netmask 255.255.255.255 0 0
route outside mailgate 255.255.255.255 172.16.0.1 1
route inside linux 255.255.255.255 194.20.23.181 1
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
Since we have a static NAT translation for linux with mailgate on PIX, I believe IPCop is not doing the translation for the mailgate IP; but since the 82.70.219.x subnet is directly connected to IPCop, it will never forward the traffic for 82.70.219.162 to PIX, as a directly connected network takes precedence over static routes.
Here is an option to get this working with this setup:
Translation on IPCop:
82.70.219.162-->172.16.0.10(any free IP of this range)
On PIX translation:
172.16.0.10-->194.20.23.180
i.e.
static (inside,outside) tcp 172.16.0.10 smtp 194.20.23.180 smtp netmask 255.255.255.255
static (inside,outside) tcp 172.16.0.10 http 194.20.23.180 http netmask 255.255.255.255
access-list outside permit tcp any host 172.16.0.10 eq smtp log
access-list outside permit tcp any host 172.16.0.10 eq www log
I hope this helps.
Warm Regards,
Sourav Kakkar
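As an added illustration (not part of either post, and not IPCop or PIX code), here is a small Python model of the two-hop translation chain Sourav proposes: the IPCop hop maps the public address to a transit address on 172.16.0.0/24, the PIX hop maps that to the server, and replies are un-translated in reverse order. The client address 203.0.113.7 is constructed; the other addresses are the ones in the thread.

```python
# Constructed model of the two-hop translation chain proposed above; it is not
# IPCop or PIX code. Each hop holds static (ip, port) -> (ip, port) rules and
# applies the inverse rule to the server's replies.
MAILGATE = "82.70.219.162"  # public address reached from the Internet
HOP_IP = "172.16.0.10"      # free address on the 172.16.0.0/24 transit net
LINUX = "194.20.23.180"     # the real server on the PIX inside network


class StaticNat:
    """One firewall with static destination translations."""

    def __init__(self, name, rules):
        self.name = name
        self.fwd = dict(rules)                       # (pub_ip, port) -> (in_ip, port)
        self.rev = {v: k for k, v in rules.items()}  # inverse map for replies

    def inbound(self, pkt):
        """Rewrite the destination of an Internet->server packet, or return None."""
        hit = self.fwd.get((pkt["dst"], pkt["dport"]))
        if hit is None:
            return None  # no rule: the device keeps the packet for itself or drops it
        return dict(pkt, dst=hit[0], dport=hit[1])

    def outbound(self, pkt):
        """Rewrite the source of a reply back to the address the client used."""
        hit = self.rev.get((pkt["src"], pkt["sport"]))
        if hit is None:
            return None
        return dict(pkt, src=hit[0], sport=hit[1])


def traverse(chain, pkt):
    """Push a client packet inward through every hop; None if any hop lacks a rule."""
    for hop in chain:
        pkt = hop.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def reply(chain, pkt):
    """Carry the server's reply outward through the hops in reverse order."""
    for hop in reversed(chain):
        pkt = hop.outbound(pkt)
        if pkt is None:
            return None
    return pkt


# Proposed setup: IPCop maps the public address to the transit IP, PIX maps that to the server.
PROPOSED = [StaticNat("ipcop", {(MAILGATE, 25): (HOP_IP, 25), (MAILGATE, 80): (HOP_IP, 80)}),
            StaticNat("pix", {(HOP_IP, 25): (LINUX, 25), (HOP_IP, 80): (LINUX, 80)})]
# Original setup: only the PIX knows mailgate, so IPCop has no rule for it.
ORIGINAL = [StaticNat("ipcop", {}), StaticNat("pix", {(MAILGATE, 25): (LINUX, 25)})]
```

`traverse(ORIGINAL, ...)` returns None for port 25, which is the symptom in the question, while `traverse(PROPOSED, ...)` delivers the packet to 194.20.23.180 and `reply(PROPOSED, ...)` restores 82.70.219.162 as the source the client expects.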